Ask Acquia: How can I protect my Drupal website from XSS security vulnerabilities?

Cross Site Scripting (XSS) is a type of injection attack that takes advantage of the dynamic nature of a web page. XSS vulnerabilities present a real and potential threat to the websites you create and manage. In fact, as of WhiteHat’s 2014 Website Security Statistics Report, XSS was the most common vulnerability found for almost every language used in website development.

In their 2014 white paper, the Drupal Security team states that over half of all contributed project Security Advisories reported at least one XSS vulnerability – a number more than double that of the next most common vulnerability class.

XSS is clearly a threat - but time spent wringing your hands is time wasted. Take a proactive approach to protecting your website by taking advantage of the resources Acquia has made available.

How can XSS be used to attack my site?

XSS works because web application features such as comment boxes allow users to affect the content that a page generates. When those features are not configured to disallow the “Full HTML” input format for anonymous users, malicious users can use that opening to embed client-side script in the page, and that script is later interpreted by the browser of anyone who views the content.
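To make the “Full HTML” problem concrete, here is an added PHP example (not code from the Acquia post or from Drupal core) that renders a constructed comment body three ways: written into the page as-is, HTML-escaped, and filtered through a tag allow-list. The function names and sample comments are hypothetical, and the script runs without a Drupal bootstrap; the comments point to the Drupal functions that do the same job in a real site.

```php
<?php
// Added example, not from the Acquia post or Drupal core. Demonstrates why a
// user-supplied comment body must be escaped, or run through an allow-list
// filter, before it is placed into page HTML. All inputs below are constructed.

// UNSAFE: the raw body is concatenated into the page, so any <script> the
// visitor typed is executed by every browser that later views the comment.
function renderCommentUnsafe(string $body): string {
    return '<div class="comment">' . $body . '</div>';
}

// SAFE for plain-text comments: every HTML-significant character is encoded,
// so the browser displays the text literally instead of parsing it as markup.
// Drupal 7's check_plain() and Drupal 8+'s \Drupal\Component\Utility\Html::escape()
// do the same thing (Drupal 8+ Twig templates also autoescape by default).
function renderCommentEscaped(string $body): string {
    return '<div class="comment">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// SAFE-ish when a little markup must be allowed (e.g. <em>, <strong>): keep only
// an allow-list of tags. PHP's strip_tags() removes other tags but leaves
// attributes on the allowed ones, so <em onmouseover="..."> would survive;
// Drupal's filter_xss() (D7) / Xss::filter() (D8+) also strip dangerous
// attributes and javascript: URLs, so prefer those inside Drupal.
function renderCommentFiltered(string $body, array $allowed = ['em', 'strong']): string {
    $tags = '<' . implode('><', $allowed) . '>';
    return '<div class="comment">' . strip_tags($body, $tags) . '</div>';
}

// Constructed sample comments, including a harmless script probe.
$samples = [
    'plain'  => 'Nice post, thanks!',
    'markup' => 'I <strong>really</strong> liked this.',
    'script' => 'Nice post <script>alert("xss")</script>',
];

foreach ($samples as $label => $body) {
    echo "== $label ==\n";
    echo "unsafe:   " . renderCommentUnsafe($body) . "\n";
    echo "escaped:  " . renderCommentEscaped($body) . "\n";
    echo "filtered: " . renderCommentFiltered($body) . "\n";
}
```

Run it with `php example.php`: in the “script” case the unsafe rendering keeps the `<script>` element intact, the escaped rendering turns it into `&lt;script&gt;…`, and the filtered rendering drops the tag entirely. The operational equivalent in Drupal is to keep anonymous and untrusted roles on a restricted text format (Filtered HTML or plain text) rather than Full HTML, so that Drupal applies this kind of filtering on every render.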

What can happen as the result of an XSS infection?

When visitors to your site view the infected page, it executes injected script, triggering the attack against your website. XSS attacks can be used to steal any information contained on the infected webpage, including the session cookie and username of any logged in visitor. Using this information, an attacker can gain access to any user’s account - including that of your site administrator. With all the privileges of full administrative access, the attacker can steal any data your administrator can view and lock you out of your own website.
